Certutil -C and -S commands create temporary cert or cert request files for storing working versions of the objects. If the files exist when certutil is run and they are longer than the cert (req) created, extraneous data remains at the end of the file. When the temp file is read back in--for certs, at least--the file length is checked against the DER encoded length, which fails.
Created attachment 281406: add PR_TRUNCATE to temp file create calls
Comment on attachment 281406 (add PR_TRUNCATE to temp file create calls): r=nelson for the trunk. Leaving second review request for branch.
Checking in cmd/certutil/certutil.c; /cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v <-- certutil.c new revision: 1.121; previous revision: 1.120 done
Fixed on trunk. Fix didn't get into branch in time for 3.11.8.
Neil fixed this on the trunk. IMO, that's good enough.
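An added example, not part of the bug thread or the NSS source: it reproduces the failure mode reported above, with POSIX `open()` and `O_TRUNC` standing in for NSPR's `PR_Open` and `PR_TRUNCATE`. The file name, helper names and byte strings are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Total size (header + contents) of the DER object at buf, or -1 if the
 * length octets are unusable. Definite lengths of up to 4 octets only. */
static long der_total_len(const unsigned char *buf, size_t n) {
    if (n < 2) return -1;
    if ((buf[1] & 0x80) == 0) return 2 + (long)buf[1];      /* short form */
    size_t nlen = buf[1] & 0x7f;                            /* long form */
    if (nlen == 0 || nlen > 4 || n < 2 + nlen) return -1;
    long len = 0;
    for (size_t i = 0; i < nlen; i++) len = (len << 8) | buf[2 + i];
    return 2 + (long)nlen + len;
}

static int write_file(const char *path, const void *p, size_t n, int extra) {
    int fd = open(path, O_WRONLY | O_CREAT | extra, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, p, n);
    return (close(fd) == 0 && w == (ssize_t)n) ? 0 : -1;
}

/* 1 if the on-disk size equals the DER-encoded length, 0 if not, -1 on error. */
static int file_matches_der(const char *path) {
    unsigned char hdr[6];
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, hdr, sizeof hdr);
    int rc = fstat(fd, &st);
    close(fd);
    if (n < 0 || rc != 0) return -1;
    return der_total_len(hdr, (size_t)n) == (long)st.st_size;
}

/* Leave a 40-byte object in path, then store a 12-byte one using extra_flags. */
int reuse_temp_file(const char *path, int extra_flags) {
    unsigned char stale[40] = {0x30, 38};  /* constructed: SEQUENCE, 38 zero bytes */
    unsigned char fresh[12] = {0x30, 10};  /* constructed: SEQUENCE, 10 zero bytes */
    if (write_file(path, stale, sizeof stale, O_TRUNC) != 0) return -1;
    if (write_file(path, fresh, sizeof fresh, extra_flags) != 0) return -1;
    int ok = file_matches_der(path);
    unlink(path);
    return ok;
}

int main(void) {
    printf("no truncate: %d\n", reuse_temp_file("der_demo.tmp", 0));
    printf("O_TRUNC:     %d\n", reuse_temp_file("der_demo.tmp", O_TRUNC));
    return 0;
}
```

Without truncation the file keeps its old 40-byte size while the DER header declares 12 bytes, so the length check fails; with `O_TRUNC` the two agree.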